Malware Leverages Google Drive

Thursday, October 23, 2014 @ 05:10 PM gHale

There is a new type of information-stealing malware targeting government agencies that can pull files from compromised computers to Google Drive, researchers said.

Dubbed Drigo, the malware uploads Excel, Word, PDF, text and Powerpoint files it finds on the infected computer, including the recycle bin, to Google Drive. In order to do this, the malware contains the client_id, the client_secret and a refresh token.

“Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive. This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website,” said Trend Micro threats analyst Kervin Alintanahin in a blog post.

“Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens. We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.”

The researchers managed to look into the Google Drive account in question, and the names of the files they found lead them to believe the attackers targeted mostly government agencies.

In fact, they said the malware is purely on a reconnaissance mission.

“After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” Alintanahin said.